jQuery was downloaded more than 120 million times in the last 12 months, which is equivalent to the number of downloads for Vue.js (40 million) and Bootstrap (79 million) combined. Snyk reports that four vulnerabilities had been found for Vue.js, all of which have been fixed. Bootstrap contained seven cross-site scripting (XSS) vulnerabilities. Three of these were disclosed in 2019 and there are no security fixes or upgrade paths to avoid them. In the case of jQuery, Snyk tracked six security vulnerabilities affecting jQuery across all of its releases to date. Four are medium severity Cross-Site Scripting vulnerabilities, one is a medium severity Prototype Pollution vulnerability, and the final one is a low severity Denial of Service vulnerability.
The report concludes that unless you are using jQuery 3.4.0 and above then you are using vulnerable jQuery versions.
Read more of this story at Slashdot.